October 30, 2014

RIM Releases Details of Vulnerabilities in BlackBerry Enterprise Server

(LiveHacking.Com) – RIM has released a security advisory to address a vulnerability in the BlackBerry MDS Connection Service and BlackBerry Messaging Agent for the BlackBerry Enterprise Server.

Vulnerabilities exist in how these components process PNG and TIFF images for rendering on the BlackBerry smartphone.

Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.

The issue affects the following software versions:

  • BlackBerry® Enterprise Server version 5.0.1 through 5.0.3 MR2 for Microsoft Exchange
  • BlackBerry® Enterprise Server version 5.0.1 through 5.0.3 MR2 for IBM Lotus Domino
  • BlackBerry® Enterprise Server version 4.1.7 and version 5.0.1 through 5.0.1 MR3 for Novell GroupWise
  • BlackBerry® Enterprise Server Express version 5.0.1 through 5.0.3 for Microsoft Exchange
  • BlackBerry® Enterprise Server Express version 5.0.2 and 5.0.3 for IBM Lotus Domino

BlackBerry Enterprise Server version 5.0.3 MR3 and later for Microsoft Exchange and IBM Lotus Domino are not affected, nor are the BlackBerry smartphones themselves.

Top 10 Passcodes to Avoid Using on Your iPhone

Daniel Amitay, the developer of Big Brother Camera Security, added some code to his app to anonymously record common user passcodes, and the results are quite interesting. The app collected 204,508 passcodes and Daniel discovered that 10 common passcodes were used in over 15% of the cases. This means that you have a greater than 1 in 10 chance of breaking into someone's cell phone by just trying the ten most common passcodes listed below.

  1. 1234 – 8,884 uses or 4.34%
  2. 0000 – 5,246 or 2.5%
  3. 2580 – 4,753
  4. 1111 – 3,262
  5. 5555 – 1,774
  6. 5683 – 1,425
  7. 0852 – 1,221
  8. 2222 – 1,139
  9. 1212 – 944
  10. 1998 – 822

As expected, 1234 is the most common passcode and the other passcodes follow typical formulas, such as four identical digits (0000, 1111, 5555, 2222) or moving in a line up or down the pad (2580 & 0852). 5683 isn’t instantly clear, but if you look carefully at the letters on the numbers you will see it spells “love”.
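The patterns described above can be turned into a policy check that rejects weak four-digit passcodes before they are set. The following is an added example, not code from the study or the app; the keypad layout and T9 letter mapping are the standard phone ones, and the word list is a small constructed sample.

```python
"""Weak 4-digit passcode check (added example, not from the original post).

Flags the patterns the passcode study describes: the ten most common codes,
four identical digits, digit sequences, straight lines on the phone keypad
(2580, 0852) and T9 words such as 5683 = "love".
"""
from itertools import product

TOP10 = {"1234", "0000", "2580", "1111", "5555",
         "5683", "0852", "2222", "1212", "1998"}

# (row, col) of each digit on a standard phone keypad; 0 sits under the 8.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}

T9 = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
      "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}

WORDS = {"love", "hate", "home", "cool"}  # constructed sample word list


def keypad_line(code):
    """True if every step between consecutive keys is the same non-zero
    vector, i.e. the code walks a straight line across the keypad."""
    pts = [KEYPAD[d] for d in code]
    steps = {(b[0] - a[0], b[1] - a[1]) for a, b in zip(pts, pts[1:])}
    return len(steps) == 1 and steps != {(0, 0)}


def t9_words(code):
    """Dictionary words the code spells via the keypad letters."""
    if any(d not in T9 for d in code):
        return set()
    spelled = {"".join(c) for c in product(*(T9[d] for d in code))}
    return spelled & WORDS


def weak_reasons(code):
    """Return the list of reasons a 4-digit passcode is weak (empty if none)."""
    if len(code) != 4 or not code.isdigit():
        raise ValueError("passcode must be exactly four digits")
    reasons = []
    if code in TOP10:
        reasons.append("top-10 passcode")
    if len(set(code)) == 1:
        reasons.append("identical digits")
    diffs = {int(b) - int(a) for a, b in zip(code, code[1:])}
    if diffs in ({1}, {-1}):
        reasons.append("digit sequence")
    if keypad_line(code):
        reasons.append("keypad line")
    for w in sorted(t9_words(code)):
        reasons.append("spells %r" % w)
    return reasons
```

A passcode is acceptable only when `weak_reasons` returns an empty list; the returned reasons can be shown to the user as feedback.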

In 2010 Imperva released a study analyzing 32 million passwords and found that the 10 most commonly used passwords for computers and Internet accounts were:

  • 123456
  • 12345
  • 123456789
  • Password
  • iloveyou
  • princess
  • rockyou
  • 1234567
  • 12345678
  • abc123

Online Banking SMS Authentication Messages Open To Attack

RSA is publishing a report warning of increasing attempts by cyber criminals to intercept the online banking SMS messages that are used to authenticate users for online services.

Authentication tokens (normally a randomized six digit number or similar code) sent by SMS are becoming more and more popular. For example, the Commonwealth Bank of Australia claims that 80% of its online customers use its NetCode SMS service for authentication and has recently announced that the service will now be mandatory for “higher risk” transactions. The knock-on effect will be that hackers will increase their efforts to intercept these SMS messages to gain access to online accounts.

This warning comes at a time when it is now possible to eavesdrop on GSM phones with cheap off-the-shelf equipment. Of course, a two step authentication process (username/password and then authentication token) is much better than just simple login authentication. However, a better and more secure approach is the use of a hand held card reader which, in combination with your bank card and PIN, generates a unique, one-time code for use during login.

You can read more about this on ZDNet Australia.

European Security Agency Publishes Report About the Security Risks of Smartphones

With smartphones becoming more and more part of our daily lives, the European Network and Information Security Agency (ENISA) has published a new report detailing the top security risks of smartphone use and giving practical security advice for businesses, consumers and governments.

According to Gartner, worldwide smartphone sales doubled last year and 80 million were sold worldwide in Q3 2010 alone. Any prevalent technology can pose security risks, and the 61-page ENISA report lists several key risks including:

  • Data leakage: a stolen or lost phone with unprotected memory allows an attacker to access the data on it.
  • Unintentional data disclosure: most apps have privacy settings but many users are unaware (or do not recall) that the data is being transmitted, let alone know of the existence of the settings to prevent this.
  • Phishing: an attacker collects user credentials (e.g. passwords, credit card numbers) using fake apps or SMS/Email messages that seem genuine.

The report goes on to highlight the risks of spyware, network spoofing attacks and diallerware (where an attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers).

For consumers, ENISA makes the following recommendations:

  • Always configure your smartphone in such a way that it locks automatically after some minutes.
  • Before installing or using new smartphone apps or services, check their reputation. Never install any software onto the device unless it is from a trusted source and you were expecting to receive it.
  • Scrutinize permission requests when using or installing smartphone apps or services.

For consumers and businesses the report underlines the importance of properly decommissioning a phone before it is disposed of or transferred to another user. In such cases it is essential to wipe all the data and settings from the smartphone.

For government officials, ENISA recommends that sensitive data isn’t stored locally, that encryption software is used and that smartphones should be periodically wiped (using secure deletion) and reloaded with a specially prepared and tested image.

Free Android apps Steal Personal Data; Send it to China

According to Computerworld, between one and four million users of Android phones have downloaded wallpaper apps that take personal data from the phone and transmit it to a Chinese-owned server.

Over 80 wallpaper apps created by a pair of developers — “callmejack” and “IceskYsl@1sters!” — include code that accesses users’ personal data, said Kevin Mahaffey, chief technology officer and a co-founder of Lookout, a San Francisco-based mobile security company.

A large number of free wallpaper apps in the Android Market scrape the phone number; the user-specific subscriber identifier, also known as the IMSI (International Mobile Subscriber Identity); the phone’s SIM card serial number; and the currently-entered voicemail number from the phone.

That information is then transmitted to a server that Internet records show is registered to a resident of Shenzhen, a city in China’s Guangdong province, just north of Hong Kong.

Source: [Computerworld]